github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-27 21:33:38 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
98d400f7b5
discourse/spec/requests/examples/invalid_limit_params.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

24 lines
714 B
Ruby
Raw Normal View History

SECURITY: Impose a upper bound on limit params in various controllers What is the problem here? In multiple controllers, we are accepting a `limit` params but do not impose any upper bound on the values being accepted. Without an upper bound, we may be allowing arbituary users from generating DB queries which may end up exhausing the resources on the server. What is the fix here? A new `fetch_limit_from_params` helper method is introduced in `ApplicationController` that can be used by controller actions to safely get the limit from the params as a default limit and maximum limit has to be set. When an invalid limit params is encountered, the server will respond with the 400 response code.
2023-07-28 19:53:46 +08:00
# frozen_string_literal: true
RSpec.shared_examples "invalid limit params" do |endpoint, max_limit, extra_params|
let(:params) { extra_params&.dig(:params) || {} }
it "returns 400 response code when limit params is negative" do
get endpoint, params: { limit: -1 }.merge(params)
expect(response.status).to eq(400)
end
it "returns 400 response code when limit params is suspicious" do
get endpoint, params: { limit: "1; DROP TABLE users" }.merge(params)
expect(response.status).to eq(400)
end
it "returns 400 response code when limit params exceeds the max limit" do
get endpoint, params: { limit: max_limit + 1 }.merge(params)
expect(response.status).to eq(400)
end
end
Reference in New Issue Copy Permalink